Hide your kids, hide your BTC: Bitcoin-stealing malware emerges

Click-bait to an exchange lookalike site drops malware to steal from accounts.

The MT.Gox lookalike site that delivered malware to unwitting Bitcoiners.

In another example of the security mantra of "be careful what you click," at least one Bitcoin trader has been robbed in a forum "phishing" attack designed specifically to ride the hype around the digital currency. The attack attempts to use Java exploits or fake Adobe updates to install malware, and it's one of the first targeted attacks aimed at the burgeoning business of Bitcoin exchanges.

The bait for the attack was a post to a Bitcoin traders' forum announcing that MT.Gox was going to start handling exchanges of Litecoins, a Bitcoin alternative. The post advertised a live chat on the topic at a link provided to mtgox-chat.info. That site, which used stolen code and style to masquerade as the legitimate MT.Gox site, then prompted victims to update their Java plugin and offered a forged Adobe updater.

The scam was first reported on reddit earlier this week, when a redditor reported spotting the fake site and its attempt to drop malware. While the attack was originally described by one of its victims as a "Java zero-day" exploit, it actually uses either a Java exploit or a fake Adobe updater to deliver its malware payload. That payload is DarkComet, a fairly common "remote administration tool" and keylogger. The attackers not only stole credentials for the victim's MT.Gox account, but they took other passwords as well.
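The bait above worked because mtgox-chat.info carried the exchange's name without being the exchange's domain. As an added example (not code from the article or from MT.Gox), the check below flags forum links whose hostname trades on a brand name but does not resolve to that brand's registrable domain; the allowlist, the sample forum post and the `classify_link` / `suspicious_links` names are constructed for this example.

```python
"""Flag lookalike links such as mtgox-chat.info that borrow a brand name
but are not the brand's real domain.  Allowlist and sample input are
constructed for this example."""
import re
from urllib.parse import urlsplit

# Registrable domains the brand actually controls (assumed for this example).
BRAND_DOMAINS = {"mtgox": {"mtgox.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(hostname: str) -> str:
    """Approximate the registrable domain as the last two labels.
    A production check would consult the Public Suffix List instead."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_link(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one URL."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").lower()
    # Strip separators so 'mt-gox' and 'mtgox-chat' both match the brand token.
    # Note: homoglyph variants (e.g. a zero for the letter o) are not caught here.
    compact = host.replace("-", "").replace(".", "")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in compact:
            return "legitimate" if registrable_domain(host) in domains else "lookalike"
    return "unrelated"


def suspicious_links(text: str) -> list:
    """Return every lookalike URL found in a block of forum text."""
    return [u for u in URL_RE.findall(text) if classify_link(u) == "lookalike"]


# Constructed sample post mimicking the bait described in the article.
SAMPLE_POST = """MtGox is adding Litecoin! Live chat here: http://mtgox-chat.info/live
Official announcement: https://mtgox.com/press
Discussion: https://bitcointalk.org/index.php?topic=1"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_POST):
        print("lookalike:", link)
```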

The spoofed site attempts to get users to install an "Adobe" update from a site in the Netherlands. The update is actually a malware dropper.

Sean Gallagher

The victim of the forum phish who reported the attack, posting under the username "bitbully," admitted that he should have been using two-factor authentication. "Yeah, I'm stupid, I should have enabled a Yubikey or other 2nd (authentication) method when Bitcoins started exploding in value," he said in his post to Bitcointalk.com. "But still, this attack is rather basic and should not be possible on a site at the level of MT.Gox. I can only imagine how people with larger amounts would feel if clicking on a link emptied their account $10k+."

There's no indication that the security of MT.Gox had anything to do with the breach. The impostor site purportedly used to infect bitbully had nothing to do with the Bitcoin exchange.

This type of attack is de rigueur in the financial world, according to George Waller, the executive vice president of Strikeforce Technologies, a security software firm specializing in two-factor authentication and anti-keylogging software for the financial industry. "Driving people to a site to download malware is one of the most common attacks today," he told Ars. "You go to a site from a forum and get prompted for Java or Adobe updates—and in the majority of those updates they drop in a keylogger. Since they're written to get around antivirus scans, AV software is useless against this sort of pervasive malware today."

That's particularly the case in large-scale targeted attacks against businesses, where large-scale cyber-fraud operations typically deploy custom-written keyloggers and other remote administration tools. A recent report by security firm Trustwave found that 70 percent of targeted attacks on corporations used Java and other exploits through versions of the Blackhole Web exploit kit to drop their malware. Fifty percent used keyloggers and other memory scraping malware to capture data.

The targeted attack wasn't the only problem facing the MT.Gox exchange. Some users have found it difficult to reach the site at all, and some believed MT.Gox was the victim of a distributed denial of service attack on the night of April 10. In a Facebook posting, the exchange told customers that the site's availability problems were not a DDoS attack, but that the site was a "victim of our own success."

"Indeed the rather astonishing amount of new accounts opened in the last few days, added to the existing ones, plus the number of trades made a huge impact on the overall system, which started to lag," a company spokesperson wrote in the post. "As expected in such a situation, people started to panic, started to sell Bitcoin in mass (Panic Sale) resulting in an increase of trade that ultimately froze the trade engine!"

As a result, the company says it is working to beef up its infrastructure, but MT.Gox has not given many details on what is being done. "Also please note that we may have to close the exchange for two hours in the next 12 to 24 hours to add several new servers to our system," the Facebook notice said.

Update: True to its word, the company has shut down trading today. MT.Gox posted to its website that trading will resume at 11:00 AM Japan time on Thursday after being down for about 12 hours. The shutdown, while called a "trading cooldown" in the title of the post, is purportedly to allow for database upgrades to accommodate the heavy trading volume.

You could certainly get hit by this exploit if you skip Security 101. Are bitcoin users not also "power users"? Honest question - it takes a little work to get going, so I'm surprised anyone using bitcoins would actually get hit by such a dumb move on their part.

As a hot new commodity, Bitcoin is now attracting less technically adept speculators and opportunists; they have no interest in Bitcoin as a currency and no intellectual interest. The skills required for farming/mining aren't really that steep: if a person can source and build his own PC and knows how to do basic research, then building a rig for Bitcoin mining probably ain't that difficult. Increasingly there will be products and software that simplify the process and lower the technical bar even further.

Exactly, this++. You throw in the HUGE media attention, particularly after the recent events over at Reddit regarding Bitcoin and you now have a much wider audience paying attention. It is breaking out of its niche as an underground hacker/nerd/criminal currency and will likely begin to appeal to less tech-savvy individuals who are merely interested in the prospects of gambling to secure a quick return on investment. Personally, I wouldn't be surprised to learn that the recent events surrounding Bitcoin were intentionally orchestrated as a means to dupe the uninformed into getting involved with the system in order to spread this malware and create more targets.

Originally, I would say 100% so. But with ever increasing value and media time that they are getting, I'm sure there is a growing number of traditional computer users (meaning not your tech-savvy type) looking for a quick buck.

Not only that, but as the value of bitcoin increases (assuming it does, of course) and it gets more media attention, we will also see increasingly more sophisticated attacks, as people who are really good at those kind of things start paying more attention.

When I predicted this sort of thing in the previous Bitcoin thread I got nothing but down-votes.

It's not that complicated: when the stakes get high enough a system attracts more attacks and social scammers. It has happened all throughout history, and this is just the latest (temporarily) high-value target.

These are just attacks made to a new protocol that are based on new sites, servers and networking holes. In other words, keep your precious coins offline in an encrypted wallet for now. Some send Bitcoin to hell, others embrace it, whatever it is it isn't going nowhere.

*Clicks Litecoin link* *Reads that it has the same deflationary curve as Bitcoin* *Slams head on desk*

If ANYONE out there wants to launch another one of these coins, for the love of cheese, consult a damn economist.

I'd be surprised if something that seems to be superficially "bitcoin that we're the early adopters on" was anything more than an intentional version of the pyramid scheme that bitcoin seems to have become. (I use pyramid scheme as shorthand here, I don't know the proper term for something like this, but most people at least understand the negative connotations if I use it.)

If you aren't trading bitcoins, the deflationary curve doesn't matter. If bitcoin lasts long enough for the decreasing block reward to become significant, it will be dominant enough that goods and services will be priced in bitcoin exclusively, with no regard as to the price in other currencies. At that point, it simply won't matter whether bitcoin is "deflationary" or not; a 1mBTC cake will be a 1mBTC cake regardless of whether 1 BTC trades for $1000 or $1100.

It isn't a pyramid scheme when anyone can mine for them. It's a gold rush, not a pyramid/Ponzi scheme.

Those who struck gold early while it was easy to find amassed a lot of it, while those who waited are finding it a lot harder to get the same quantities. But anyone can still go out and mine for gold/bitcoins,

NEVER click on anything containing the word Adobe. It results in you losing control of your machine and wasting time, money and CPU cycles. (And that's if you're lucky and don't get the hacked updater.)

It IS a pyramid scheme actually. If you buy into the currency, then your goal is to sell out of the currency with more money than you bought into it for. Thus, early users are entirely dependent on later users for the money to have any value at all, and as the value cannot inflate indefinitely, there's a point at which it crashes because the latest generation cannot get more money out of it, and therefore the currency drops in value as people sell back out of it for what they can, eventually sparking a run, crash, etc.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.